The LibSSH Security Bug in the Nutshell

Libssh, the direct competitor of OpenSSL has been disclosed of having a critical security flaw in its SSH protocol. A hidden backdoor was recently discovered that enable successful remote connection even with the lack of enough permission. It is with the use of SSH2_MSG_USERAUTH_SUCCESS SSH message replacing the expected SSH2_MSG_USERAUTH_REQUEST; the change was not clearly seen by the Libssh library, which interprets the command as a “Success”. This opens the server to unauthorized login, with the threat actor able to use the server for whatever purpose he deemed necessary.

The bug is now marked with a corresponding CVE number, CVE-2018-10933. The affected versions of libssh are versions prior to 0.7.6 and 0.8.4. Since Libssh is not a very popular ssh library, only a certain number of servers are affected, around 3,000 according to a research firm, Cybereason.

The OpenSSL library which is not affected by the bug is widely installed on universally all versions of Linux, MacOS, Android, iOS and Unix. It is also the monopoly in the browser space; it is considered as an open source SSL library for the masses. This is a good news for everyone. Since if the tables were turned and OpenSSL has been the affected library involved with the vulnerability, all devices we can imagine in use in the world today came with OpenSSL in one form or another – hence an astronomically bigger problem to face.

The most recent acquisition of Microsoft, the GitHub website for developers in connection with this discovered bug has informed the public that their version is not affected. As a mainstream open source software source repository, GitHub supports libssh as an alternative to OpenSSL but they are proactive enough to have the latest version deployed in their servers instead of the old vulnerable version.

“We use a custom version of libssh; SSH2_MSG_USERAUTH_SUCCESS with libssh server is not relied upon for pubkey-based auth, which is what we use the library for. Patches have been applied out of an abundance of caution, but [GitHub Enterprise] was never vulnerable to CVE-2018-10933,” explained by Github on Twitter.

The exploit against vulnerable versions of only covers the server-side. Client-side code of even with versions lower than 0.7.6 and 0.8.4 are not affected, unless the server-side backend is also installed. CVE-2019-10993 is not a zero-day exploit, and the bug has been disclosed responsibly to the developers and they have issued a quickly patched version to address the problem.